PCL: A Logic for Security Protocols Anupam Datta Stanford University Secure Software Systems, CMU October 3, 5, 2005.


Computer Security
Cryptography: encryption, signatures, cryptographic hash, …
Security mechanisms: access control policy; network protocols
Implementation: cryptographic library; code implementing mechanisms
–Reference monitor and TCB
–Protocol runs under the OS, uses a program library and the network protocol stack
Analyze protocols, assuming crypto, implementation and OS are correct

Network Security Protocols
Two or more parties
Communication over an insecure network
Cryptography used to achieve the goal: exchange secret keys; verify identity (authentication)
Example: SSL (internet banking)
Examples of crypto primitives: public-key encryption, symmetric-key encryption, CBC, hash, signature, key generation, random-number generators

This lecture is about…
Network security protocols
–Internet Engineering Task Force (IETF) standards: SSL/TLS (web authentication), IPSec (corporate VPNs), Mobile IPv6 (routing security), Kerberos (network authentication), GDOI (secure group communication)
–IEEE standards working groups: 802.11i (wireless LAN security), 802.16e (wireless MAN security)
And methods for their security analysis: a security proof in some model, or identifying attacks

Why prove security?
Examples of protocol flaws:
–IKE [Meadows; 1999]: reflection attack; fix adopted by IETF WG
–IEEE 802.11i [He, Mitchell; 2004]: DoS attack; fix adopted by IEEE WG
–GDOI [Meadows, Pavlovic; 2004]: composition attack; fix adopted by IETF WG
–Kerberos V5 [Scedrov et al; 2005]: identity misbinding attack; fix adopted by IETF WG

Security Analysis
Model the system
Model the adversary
Identify security properties
See if the properties are preserved under attack
Result: no “absolute security”. Security means: under given assumptions about the system, no attack of a certain form will destroy the specified properties.

Important Modeling Decisions
How powerful is the adversary?
–Simple replay of previous messages
–Block messages; decompose, reassemble and resend
–Statistical analysis, partial info from network traffic
–Timing attacks
How much detail in the underlying data types?
–Plaintext, ciphertext and keys: atomic data or bit sequences
–Encryption and hash functions: “perfect” cryptography, or algebraic properties such as encr(x*y) = encr(x) * enc r(y) for RSA, where encrypt(k, msg) = msg^k mod N

Security Analysis Methodology
Analysis tool: takes a protocol, a property and an attacker model as input; outputs a security proof or an attack.
Our tool: Protocol Composition Logic (PCL). Example: SSL authentication, with an attacker in complete control over the network and perfect crypto; 42-line axiomatic proof.

Resources: Protocols & Tools
IETF Security Area
IEEE Security Working Groups
Stanford CS 259: Security Analysis of Network Protocols
Will focus today on one tool: Protocol Composition Logic (PCL)

Protocol Composition Logic: PCL
Intuition
Formalism
–Protocol programming language
–Protocol logic: syntax, semantics
–Proof system
Example: signature-based challenge-response
Composition
Formulated by Datta, Derek, Durgin, Mitchell, Pavlovic

Intuition
Reason about local information
–I chose a new number
–I sent it out encrypted
–I received it decrypted
–Therefore: someone decrypted it
Incorporate knowledge about the protocol
–Protocol: the server only sends m if it received m’
–If the server is not corrupt and I receive m signed by the server, then the server received m’

Intuition: Picture
Alice’s information: her protocol, her private data, and her sends and receives. The other honest principals and the attacker each have their own protocol and private data.

Example: Challenge-Response
A → B: m, A
B → A: n, sig_B{m, n, A}
A → B: sig_A{m, n, B}
Alice reasons: if Bob is honest, then:
–only Bob can generate his signature [protocol independent]
–if Bob generates a signature of the form sig_B{m, n, A}, he sends it as part of msg2 of the protocol and he must have received msg1 from Alice [protocol specific]
Alice deduces: Received(B, msg1) ∧ Sent(B, msg2)

Formalizing the Approach
Language for protocol description: arrows-and-messages are informal.
Protocol semantics: how does the protocol execute?
Protocol logic: stating security properties.
Proof system: formally proving security properties.
(User view of the logic)

Cords
“Protocol programming language”: a protocol is described by specifying a “program” for each role
–Server = [receive x; new n; send {x, n}]
Building blocks
–Terms (think “messages”): names, nonces, keys, encryption, …
–Actions (operations on terms): send, receive, pattern match, …

Terms
t ::= c          constant term
    | x          variable
    | N          name
    | K          key
    | t, t       tupling
    | sig_K{t}   signature
    | enc_K{t}   encryption
Example: x, sig_B{m, x, A} is a term

Actions
send t;          send a term t
receive x;       receive a term into variable x
match t/p(x);    match term t against p(x)
A cord is just a sequence of actions
Notation: we often omit match actions
–receive sig_B{A, n} = receive x; match x/sig_B{A, n}

Challenge-Response as Cords
A → B: m, A
B → A: n, sig_B{m, n, A}
A → B: sig_A{m, n, B}
InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig_X{m, x, A}}; send A, X, sig_A{m, x, X}; ]
RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig_B{y, n, Y}}; receive Y, B, sig_Y{y, n, B}; ]

Cord Spaces
A cord space is a multiset of cords
Cords may react via communication or via internal actions
Sample reaction steps:
–Communication: [ S; send t; S’ ] ⊗ [ T; receive x; T’ ] → [ S; S’ ] ⊗ [ T; T’(t/x) ]
–Matching: [ S; match p(t)/p(x); S’ ] → [ S; S’(t/x) ]

Execution Model
Initial configuration: the protocol is a finite set of roles; a set of principals and keys; an assignment of ≥ 1 role to each principal
Run: each principal has a position in the run. Example run with principals A, B, C: A does new x; send {x}_B; B does receive {x}_B; C does new z; send {z}_B; B does receive {z}_B.

Attacker capabilities
Controls the complete network: can read, remove, inject messages
Fixed set of operations on terms: pairing; projection; encryption with known key; decryption with known key; …
Commonly referred to as the “Dolev-Yao” attacker
Next lecture: more powerful “crypto-style” attacker

Logical assertions
Modal operator θ [ actions ]_P φ: if θ holds and P executes actions, then φ holds
Predicates in φ:
–Send(X, m): principal X sent message m
–Receive(X, m): principal X received message m
–Verify(X, m): X verified signature m
–Has(X, m): X created m, or received a msg containing m and has the keys to extract m from the msg
–Honest(X): X follows the rules of the protocol

Formulas true at a position in run
Action formulas a ::= Send(P,m) | Receive(P,m) | New(P,t) | Decrypt(P,t) | Verify(P,t)
Formulas φ ::= a | Has(P,t) | Fresh(P,t) | Honest(N) | Contains(t1, t2) | ¬φ | φ1 ∧ φ2 | ∃x φ | ◇φ | ⊖φ
Example: After(a,b) = ◇(b ∧ ⊖◇a)

Semantics
Protocol Q defines a set of roles (e.g., initiator, responder); a run R of Q is a sequence of actions by principals following roles, plus the attacker
Satisfaction:
–Q, R ⊨ θ [ actions ]_P φ: if some role of P in R does exactly actions, starting from a state where θ is true, then φ is true in the state after the actions are completed
–Q ⊨ θ [ actions ]_P φ: Q, R ⊨ θ [ actions ]_P φ for all runs R of Q

Security Properties
Authentication for the initiator:
CR ⊨ true [ InitCR(A, B) ]_A Honest(B) ⊃ ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sig_B{m, n, A}}}), Receive(A, {B,A,{n, sig_B{m, n, A}}}) )

Proof System
Goal: formally prove security properties
Axioms: simple formulas provable by hand
Inference rules: proof steps
Theorem: formula obtained from axioms by application of inference rules
This is what you will do!

Sample axioms about actions
New data: true [ new x ]_P Has(P, x); true [ new x ]_P Has(Y, x) ⊃ Y = P
Actions: true [ send m ]_P ◇Send(P, m)
Knowledge: true [ receive m ]_P Has(P, m)
Verify: true [ match x/sig_X{m} ]_P ◇Verify(P, m)

Reasoning about knowledge
Pairing: Has(X, {m, n}) ⊃ Has(X, m) ∧ Has(X, n)
Encryption: Has(X, enc_K(m)) ∧ Has(X, K⁻¹) ⊃ Has(X, m)

Encryption and signature
Public key encryption: Honest(X) ∧ ◇Decrypt(Y, enc_X{m}) ⊃ X = Y
Signature: Honest(X) ∧ ◇Verify(Y, sig_X{m}) ⊃ ∃m’ (◇Send(X, m’) ∧ Contains(m’, sig_X{m}))
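
As an added example (not from the slides), the following Python code works the knowledge axioms above through on the three CR messages: what a network attacker X Has after observing them, what it can build from that, and why the signature axiom and the encryption axiom hold in this symbolic model. The term encoding, the opaque-signature rule and the sample run are this example's own assumptions.

```python
# Added example (not from the slides): the symbolic Has relation over the CR messages. Atoms are
# strings; ('enc', X, t) is enc_X{t} under X's public key, ('sig', X, t) is sig_X{t}, ('sk', X) is
# X's private key, and any other tuple is a tupling {t1, ..., tn}. Public keys are known to all.
# Assumption: signatures are opaque, i.e. the signed message is not recoverable from sig_X{t}.

TAGS = {'enc', 'sig', 'sk'}   # constructor tags; any other tuple is a tupling

def saturate(known):
    """Close a set of terms under the slides' knowledge axioms (the analysis direction):
    Has(X,{m,n}) ⊃ Has(X,m) ∧ Has(X,n) and Has(X,enc_K(m)) ∧ Has(X,K⁻¹) ⊃ Has(X,m)."""
    known = set(known)
    while True:
        new = set()
        for t in known:
            if isinstance(t, tuple) and t[0] == 'enc' and ('sk', t[1]) in known:
                new.add(t[2])       # decryption with a known (private) key
            elif isinstance(t, tuple) and t[0] not in TAGS:
                new.update(t)       # projection out of a tupling
        if new <= known:
            return known
        known |= new

def can_build(target, known):
    """Synthesis direction: can a principal produce target from known by pairing, encryption
    under any public key, and signing only with a private key it holds?"""
    if target in known:
        return True
    if not isinstance(target, tuple):
        return False
    if target[0] == 'enc':
        return can_build(target[2], known)
    if target[0] == 'sig':
        return ('sk', target[1]) in known and can_build(target[2], known)
    if target[0] == 'sk':
        return False
    return all(can_build(t, known) for t in target)

# Constructed CR run: the three messages of the slides, with the nonces as the atoms 'm' and 'n'.
CR_MESSAGES = [('A', 'B', ('m', 'A')),
               ('B', 'A', ('n', ('sig', 'B', ('m', 'n', 'A')))),
               ('A', 'B', ('sig', 'A', ('m', 'n', 'B')))]

def attacker_knowledge():
    """What the Dolev-Yao attacker X Has after observing the CR run, holding only its own key."""
    return saturate(CR_MESSAGES + [('sk', 'X')])

def can_forge_bobs_signature(knowledge, fresh_nonce):
    """Unforgeability (the signature axiom): can X produce sig_B{m', n, A} for a nonce m' of its own?"""
    return can_build(('sig', 'B', (fresh_nonce, 'n', 'A')), knowledge | {fresh_nonce})

def encrypted_nonce_leaks_to(holder_keys):
    """Has(Z, enc_B(s)) ∧ Has(Z, sk_B) ⊃ Has(Z, s): s is learnt only by a holder of B's private key."""
    return 's' in saturate([('enc', 'B', 's')] + holder_keys)
```

The attacker ends up with m, n and Bob's signature term itself (it can replay it), but not with a signature over a nonce of its own choosing, which is exactly what the honesty reasoning of the next slides relies on.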

Sample inference rules
First-order logic rules, e.g., modus ponens: from φ and φ ⊃ ψ, conclude ψ
Generic rules, e.g.: from θ [ actions ]_P φ and θ [ actions ]_P ψ, conclude θ [ actions ]_P φ ∧ ψ

Bidding conventions (motivation)
Blackwood response to 4NT:
–5♣: 0 or 4 aces
–5♦: 1 ace
–5♥: 2 aces
–5♠: 3 aces
Reasoning: if my partner is following Blackwood, then if she bid 5♥, she must have 2 aces

Honesty rule (rule scheme)
Premises: for all roles R of Q and all protocol steps A of R, Start(X) [ ]_X φ and φ [ A ]_X φ
Conclusion: Q ⊢ Honest(X) ⊃ φ
This is a finitary rule:
–Typical protocol has 2-3 roles
–Typical role has 1-3 receives
–Only need to consider A waiting to receive

Honesty rule (example use)
Premises: for all roles R of Q and all protocol steps A of R, Start(X) [ ]_X φ and φ [ A ]_X φ
Conclusion: Q ⊢ Honest(X) ⊃ φ
Example use:
–If Y receives a message m from X, and
–Honest(X) ⊃ (Sent(X, m) ⊃ Received(X, m’)) (proved using the honesty rule),
–then Y can conclude Honest(X) ⊃ Received(X, m’)

Correctness of CR
CR ⊢ true [ InitCR(A, B) ]_A Honest(B) ⊃ ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sig_B{m, n, A}}}), Receive(A, {B,A,{n, sig_B{m, n, A}}}) )
InitCR(A, X) = [ new m; send A, X, {m, A}; receive X, A, {x, sig_X{m, x, A}}; send A, X, sig_A{m, x, X}; ]
RespCR(B) = [ receive Y, B, {y, Y}; new n; send B, Y, {n, sig_B{y, n, Y}}; receive Y, B, sig_Y{y, n, B}; ]

Correctness of CR – step 1
1. A reasons about her own actions:
CR ⊢ true [ InitCR(A, B) ]_A ◇Verify(A, sig_B{m, n, A})

Correctness of CR – step 2
2. Properties of signatures (recall the signature axiom):
CR ⊢ true [ InitCR(A, B) ]_A Honest(B) ⊃ ∃m’ (◇Send(B, m’) ∧ Contains(m’, sig_B{m, n, A}))

Correctness of CR – Honesty
Invariant proved with the Honesty rule (induction over protocol steps):
CR ⊢ Honest(X) ∧ ◇Send(X, m’) ∧ Contains(m’, sig_X{y, x, Y}) ⊃ ◇New(X, y) ∨ (m’ = X, Y, {x, sig_X{y, x, Y}} ∧ ◇Receive(X, {Y, X, {y, Y}}))

Correctness of CR – step 3
3. Use the Honesty invariant:
CR ⊢ true [ InitCR(A, B) ]_A Honest(B) ⊃ ◇Receive(B, {A,B,m}), …

Correctness of CR – step 4
4. Use properties of nonces for temporal ordering (nonces are “fresh” random numbers):
CR ⊢ true [ InitCR(A, B) ]_A Honest(B) ⊃ Auth

Complete proof

We have a proof. So what?
Soundness theorem: if Q ⊢ φ then Q ⊨ φ; if φ is a theorem then φ is a valid formula
φ holds at any step in any run of protocol Q
–Unbounded number of participants
–Dolev-Yao intruder

Weak Challenge-Response
A → B: m
B → A: n, sig_B{m, n}
A → B: sig_A{m, n}
InitWCR(A, X) = [ new m; send A, X, {m}; receive X, A, {x, sig_X{m, x}}; send A, X, sig_A{m, x}; ]
RespWCR(B) = [ receive Y, B, {y}; new n; send B, Y, {n, sig_B{y, n}}; receive Y, B, sig_Y{y, n}; ]

Correctness of WCR – step 1
1. A reasons about its own actions:
WCR ⊢ [ InitWCR(A, B) ]_A ◇Verify(A, sig_B{m, n})

Correctness of WCR – step 2
2. Properties of signatures:
WCR ⊢ [ InitWCR(A, B) ]_A Honest(B) ⊃ ∃m’ (◇Send(B, m’) ∧ Contains(m’, sig_B{m, n}))

Correctness of WCR – Honesty
Honesty invariant:
WCR ⊢ Honest(X) ∧ ◇Send(X, m’) ∧ Contains(m’, sig_X{y, x}) ⊃ ◇New(X, y) ∨ (m’ = X, Z, {x, sig_X{y, x}} ∧ ◇Receive(X, {Z, X, {y, Z}}))

Correctness of WCR – step 3
3. Use the Honesty rule:
WCR ⊢ [ InitWCR(A, B) ]_A Honest(B) ⊃ ◇Receive(B, {Z, B, m}), …

Result
WCR does not have the strong authentication property for the initiator
Counterexample: the intruder X can forge the senders’ and receivers’ identities in the first two messages
–A → X(B): m
–X(C) → B: m
–B → X(C): n, sig_B(m, n)
–X(B) → A: n, sig_B(m, n)
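
To make the Cords execution model and this counterexample concrete, here is an added example (not part of the slides): a small cord-space interpreter in Python, with the CR and WCR roles transcribed from the slides and the intruder interleaving above written as a cord of its own. The term encoding, the consume-on-receive network, the fixed schedules and the initiator_auth check are this example's own assumptions.

```python
# Added example (not from the slides): a minimal cord-space interpreter. Terms are nested tuples,
# '?x' strings are pattern variables and ('sig', K, t) stands for sig_K{t}, matched structurally.

def match(pattern, term, env):
    """Match term against pattern, extending the bindings in env; None on failure."""
    if isinstance(pattern, str) and pattern.startswith('?'):
        return {**env, pattern: term} if env.get(pattern, term) == term else None
    if isinstance(pattern, tuple) and isinstance(term, tuple) and len(pattern) == len(term):
        for p, t in zip(pattern, term):
            env = match(p, t, env) if env is not None else None
        return env
    return env if pattern == term else None

def subst(term, env):
    if isinstance(term, str) and term.startswith('?'):
        return env[term]            # every variable is bound by an earlier new/receive
    return tuple(subst(t, env) for t in term) if isinstance(term, tuple) else term

def init_cr(A, X):
    return [('new', '?m'), ('send', (A, X, ('?m', A))),
            ('receive', (X, A, ('?x', ('sig', X, ('?m', '?x', A))))),
            ('send', (A, X, ('sig', A, ('?m', '?x', X))))]

def resp_cr(B):
    return [('receive', ('?Y', B, ('?y', '?Y'))), ('new', '?n'),
            ('send', (B, '?Y', ('?n', ('sig', B, ('?y', '?n', '?Y'))))),
            ('receive', ('?Y', B, ('sig', '?Y', ('?y', '?n', B))))]

def init_wcr(A, X):
    return [('new', '?m'), ('send', (A, X, ('?m',))),
            ('receive', (X, A, ('?x', ('sig', X, ('?m', '?x'))))),
            ('send', (A, X, ('sig', A, ('?m', '?x'))))]

def resp_wcr(B):
    return [('receive', ('?Y', B, ('?y',))), ('new', '?n'),
            ('send', (B, '?Y', ('?n', ('sig', B, ('?y', '?n'))))),
            ('receive', ('?Y', B, ('sig', '?Y', ('?y', '?n'))))]

def intruder_wcr(A, B, C):
    """The slide's counterexample as a cord: X takes A's message to B off the network, re-sends
    it to B under C's name, then relays B's reply (addressed to C) to A under B's name."""
    return [('receive', (A, B, ('?m',))), ('send', (C, B, ('?m',))),
            ('receive', (B, C, ('?n', ('sig', B, ('?m', '?n'))))),
            ('send', (B, A, ('?n', ('sig', B, ('?m', '?n')))))]

def run(cords, schedule):
    """One action of the named cord per schedule entry; cords maps a name to (principal, actions).
    A receive consumes the first in-transit message matching its pattern (the slides' communication
    step) and blocks otherwise. Returns the trace of (kind, principal, message) events."""
    pcs, envs, network, trace = {n: 0 for n in cords}, {n: {} for n in cords}, [], []
    for step, name in enumerate(schedule):
        principal, actions = cords[name]
        kind, arg = actions[pcs[name]]
        pcs[name] += 1
        if kind == 'new':
            envs[name] = {**envs[name], arg: f"{arg[1:]}#{step}"}   # a fresh nonce value
            continue
        if kind == 'send':
            network.append(subst(arg, envs[name]))
            trace.append(('Send', principal, network[-1]))
            continue
        hits = [(i, e) for i, m in enumerate(network) for e in [match(arg, m, envs[name])] if e is not None]
        if not hits:
            raise RuntimeError(f"{name} is blocked: no in-transit message matches its pattern")
        i, envs[name] = hits[0]
        trace.append(('Receive', principal, network.pop(i)))
    return trace

def initiator_auth(trace, A, B):
    """ActionsInOrder(Send(A,msg1), Receive(B,msg1), Send(B,msg2), Receive(A,msg2)) from the slides."""
    msg1 = next(t for k, p, t in trace if k == 'Send' and p == A)
    msg2 = next(t for k, p, t in trace if k == 'Receive' and p == A)
    wanted = [('Send', A, msg1), ('Receive', B, msg1), ('Send', B, msg2), ('Receive', A, msg2)]
    pos = [trace.index(e) if e in trace else -1 for e in wanted]
    return min(pos) >= 0 and pos == sorted(pos)

def cr_honest_run():
    cords = {'A': ('A', init_cr('A', 'B')), 'B': ('B', resp_cr('B'))}
    return run(cords, ['A', 'A', 'B', 'B', 'B', 'A', 'A', 'B'])

def wcr_misbinding_run():
    cords = {'A': ('A', init_wcr('A', 'B')), 'B': ('B', resp_wcr('B')),
             'X': ('X', intruder_wcr('A', 'B', 'C'))}
    return run(cords, ['A', 'A', 'X', 'X', 'B', 'B', 'B', 'X', 'X', 'A', 'A'])
```

In the WCR trace A completes her role and verifies a genuine sig_B{m, n}, yet B's only Receive carries C's name, so the initiator property fails exactly as step 3 predicted; in the CR trace the names inside the signature make the same interleaving impossible and the property holds.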

Protocol Composition Logic: PCL
Intuition
Formalism
–Protocol programming language
–Protocol logic: syntax, semantics
–Proof system
Example: signature-based challenge-response
Composition
Computational soundness

Compositional Security
Assigned readings:
–A. Datta, A. Derek, J. C. Mitchell, D. Pavlovic. A derivation system and compositional logic for security protocols.
–C. He, M. Sundararajan, A. Datta, A. Derek, J. C. Mitchell. A modular correctness proof of TLS and IEEE 802.11i.
Perspective:
–C. Meadows. Open issues in formal methods for cryptographic protocol analysis.
–J. M. Wing. Beyond the horizon: A call to arms.

ISO Key Exchange
A → B: g^a, A
B → A: g^b, sig_B{g^a, g^b, A}
A → B: sig_A{g^a, g^b, B}
Shared secret: g^ab
Authentication: do we need to prove it from scratch?
Goal: combine the proofs of the Diffie-Hellman and challenge-response sub-protocols

Abstract challenge response
Free variables m and n instead of nonces
Modal form θ [ actions ]_P φ:
–precondition: Fresh(A, m)
–actions: [ InitACR ]_A
–postcondition: Honest(B) ⊃ Authentication
Secrecy is proved from properties of Diffie-Hellman
InitACR(A, X, m) = [ send A, X, {m}; receive X, A, {x, sig_X{m, x}}; send A, X, sig_A{m, x}; ]
RespACR(B, n) = [ receive Y, B, {y}; send B, Y, {n, sig_B{y, n}}; receive Y, B, sig_Y{y, n}; ]

Diffie-Hellman: Property
Formula: true [ new a ]_A Fresh(A, g^a)
Diffie-Hellman property:
–Can compute g^ab given g^a and b, or g^b and a
–Cannot compute g^ab given g^a and g^b

Challenge Response: Property
Modal form θ [ actions ]_P φ:
–precondition: Fresh(A, m)
–actions: [ Initiator role actions ]_A
–postcondition: Honest(B) ⊃ ActionsInOrder( Send(A, {A,B,m}), Receive(B, {A,B,m}), Send(B, {B,A,{n, sig_B{m, n, A}}}), Receive(A, {B,A,{n, sig_B{m, n, A}}}) )

Composition: DH+CR = ISO
Additive combination
–DH postcondition matches CR precondition
–Sequential composition: substitute g^a for m in CR to obtain ISO; apply the composition rule; the ISO initiator role inherits CR authentication
–DH secrecy is also preserved, proved using another application of the composition rule
Nondestructive combination
–DH and CR satisfy each other’s invariants

Composing protocols
DH ⊢ Γ and CR ⊢ Γ’, where Γ and Γ’ are invariants of the form Honest(X) ⊃ …
Γ ⊢ Secrecy and Γ’ ⊢ Authentication, hence Γ, Γ’ ⊢ Secrecy and Γ, Γ’ ⊢ Authentication [additive]
DH ⊗ CR ⊢ Γ, Γ’ [nondestructive]
Therefore ISO ⊢ Secrecy ∧ Authentication
Sequential and parallel composition theorems

Composition Rules
Invariant weakening rule: from Γ ⊢ θ [ … ]_P φ, conclude Γ ∪ Γ’ ⊢ θ [ … ]_P φ
Sequential composition: from Γ ⊢ θ [ S ]_P ψ and Γ ⊢ ψ [ T ]_P φ, conclude Γ ⊢ θ [ S; T ]_P φ
Prove invariants from the protocol: from Q ⊢ Γ and Q’ ⊢ Γ, conclude Q ⊗ Q’ ⊢ Γ

Composition: Big Picture
Protocol Q runs in a safe environment of other protocols Q1, Q2, Q3, …, Qn
–Q ⊢ Inv(Q) and Inv(Q) ⊢ φ: the property φ of Q follows from its invariant
–Qi ⊢ Inv(Q) for each Qi: the environment respects the invariant of Q
No reasoning about the attacker …

802.11i: Staged Composition
Control flow: EAP-TLS (establishes PMK) → 4-Way handshake (establishes PTK) → Group Key handshake (establishes GTK) → data transmission
–Intended run is sequential
–Different failure recovery mechanisms can be implemented for efficiency
–Periodically update Group Key, PTK, PMK (omit here)
Hybrid modes
–Pre-Shared Key (PSK) used directly instead of EAP authentication methods
–Cached PMK might be used for mobile users
–Alternatives to EAP-TLS, e.g., PEAP, LEAP

802.11i Proof Structure
Step 1. ∀i. Γ_i ⊢ θ_i [P_i]_X φ_i: separate proof of the individual components TLS, 4-Way, and Group Key Handshake
Step 2. ∀i, j. Q_i ⊢ Γ_j: the necessary invariants are satisfied by all components
Step 3. ∀i. φ_i ⊃ θ_{i+1}: the postcondition of TLS implies the precondition of 4-Way; the postcondition of 4-Way implies the precondition of Group Key
Step 4. ∀i. θ_i [B]_X θ_i: the preconditions of each component are preserved by subsequent components
Applying the Staged Composition Theorem, 802.11i is secure

Protocol Composition Logic: PCL
Intuition
Formalism
–Protocol programming language
–Protocol logic: syntax, semantics
–Proof system
Example: signature-based challenge-response
Composition
Computational soundness

Computational PCL
Symbolic proofs about the complexity-theoretic model of cryptographic protocols!

Two worlds
Symbolic model [NS78, DY84, …] versus complexity-theoretic model [GM84, …]
Attacker actions:
–Symbolic (−): fixed set of actions, e.g., decryption with known key (abstraction)
–Complexity-theoretic (+): any probabilistic poly-time computation
Security properties:
–Symbolic (−): idealized, e.g., secret message = not possessing the atomic term representing the message (abstraction)
–Complexity-theoretic (+): fine-grained, e.g., secret message = no partial information about the bitstring representation
Analysis methods:
–Symbolic (+): successful array of tools and techniques; automation
–Complexity-theoretic (−): hand-proofs are difficult, error-prone; no automation
Can we get the best of both worlds?

Our Approach
Talk so far: Protocol Composition Logic (PCL), with its syntax and proof system, and semantics in the symbolic “Dolev-Yao” model
Leverage PCL success: Computational PCL keeps the syntax (± small changes) and proof system (± small changes), with semantics in the complexity-theoretic model

Main Result
Computational PCL: symbolic logic for proving security properties of network protocols using public-key encryption
Soundness theorem: if a property is provable in CPCL, then the property holds in the computational model with overwhelming asymptotic probability.
Benefits:
–Symbolic proofs about the computational model
–Computational reasoning in the soundness proof (only!)
–Different axioms rely on different crypto assumptions

ISO Key Exchange
A → B: g^a, A
B → A: g^b, sig_B{g^a, g^b, A}
A → B: sig_A{g^a, g^b, B}
Shared secret to be used as key: g^ab. Roughly: A, B have g^ab and for everyone else it is indistinguishable from a random key g^r

Central axioms
Cryptographic security property of the signature scheme: unforgeability (used for authentication)
Cryptographic security property of the Diffie-Hellman function: DDH (used to prove secrecy)

CMA-Secure Signatures
Game between a challenger and an attacker: the attacker submits messages m_i and receives Sig(Y, m_i) from the challenger; the attacker then outputs Sig(Y, m). Attacker wins if m ≠ m_i for all i

Decisional Diffie-Hellman
Let a, b, c be chosen at random from a group G with generator g. Then the two distributions (g^a, g^b, g^ab) and (g^a, g^b, g^c) are computationally indistinguishable (no polynomial-time attacker can tell them apart)

Complete Proof

PCL → Computational PCL
Syntax, proof rules mostly the same (but not sure about propositional connectives…)
Significant difference:
–Symbolic “knowledge”: Has(X, t): X can produce t from the messages it has observed, by a symbolic algorithm
–Computational “knowledge”: Possess(X, t): X can produce t by a ppt algorithm; Indistinguishable(X, t): X cannot distinguish t from random by a ppt algorithm
More subtle system: some axioms rely on CCA2, some are information-theoretically true, etc.

Complexity-theoretic semantics
Q ⊨ φ if ∀ adversary A, ∀ distinguisher D, ∃ negligible function f, ∃ n0, ∀ n > n0: |[[φ]](T, D, f(n))| / |T| > 1 − f(n), where T = T(Q, A, n)
The fraction represents a probability:
–Fix protocol Q and PPT adversary A
–Choose a value of the security parameter n
–Vary the random bits used by all programs
–Obtain the set T = T(Q, A, n) of equi-probable traces

Inductive Semantics
[[ φ1 ∧ φ2 ]](T, D, ε) = [[ φ1 ]](T, D, ε) ∩ [[ φ2 ]](T, D, ε)
[[ φ1 ∨ φ2 ]](T, D, ε) = [[ φ1 ]](T, D, ε) ∪ [[ φ2 ]](T, D, ε)
[[ ¬φ ]](T, D, ε) = T − [[ φ ]](T, D, ε)
Implication uses conditional probability:
[[ φ1 ⊃ φ2 ]](T, D, ε) = [[ ¬φ1 ]](T, D, ε) ∪ [[ φ2 ]](T’, D, ε), where T’ = [[ φ1 ]](T, D, ε)
A formula defines a transformation on probability distributions over traces

Soundness of proof system
Example axiom: Source(Y, u, {m}_X) ∧ ¬Decrypts(X, {m}_X) ∧ Honest(X, Y) ∧ (Z ≠ X, Y) ⊃ Indistinguishable(Z, u)
Proof idea: crypto-style reduction
–Assume the axiom is not valid: ∃A ∃D ∀ negligible f ∀n0 ∃n > n0 s.t. |[[φ]](T, D, f)| / |T| < 1 − f(n)
–Construct an attacker A’ that uses A and D to break an IND-CCA2 secure encryption scheme
–Conditional implication essential

Logic and Cryptography: Big Picture
Complexity-theoretic crypto definitions (e.g., IND-CCA2 secure encryption)
Crypto constructions satisfying the definitions (e.g., Cramer-Shoup encryption scheme)
Axiom in the proof system
Protocol security proofs using the proof system
Semantics and soundness theorem

Summary: PCL
Proving security properties of network protocols is important!
Formalism
–Protocol programming language
–Protocol logic: syntax (stating security properties), semantics (meaning of security properties)
–Proof system: proving security properties
Examples: signature-based challenge-response, ISO, 802.11i
Composition: modular proofs
Computational soundness: symbolic proofs about the complexity-theoretic model

Thanks ! Questions?